EFF Asks California AG to Close Loopholes, Respect "Do Not Track" With Regulations

EFF Asks California AG to Close Loopholes, Respect "Do Not Track" With Regulations

Today, EFF once again joined a coalition of privacy advocates filing comments with the California Attorney General (AG) on the latest proposed regulations for the California Consumer Privacy Act (CCPA). The CCPA was passed in June 2018 and took effect on January 1, 2020. Later this year, the AG will finalize regulations that dictate how exactly the law will be enforced.

While the first set of proposed regulations were (as we wrote at the time) a “good step forward” that could have gone further, the first revision to those regulations—published earlier this year—was largely a step backwards for privacy. Two weeks ago, the AG released a second set of revisions to the draft regulations, available here. [.pdf] With the enforcement deadline approaching, the public is running out of chances to weigh in on the rulemaking process. Some of the worst features of the regulations have been cut, but this round of modifications still falls short of a user-friendly implementation of CCPA. In fact, some new provisions added this round threaten to undermine the intent of the law.

For example, the CCPA sets aside a special set of companies, called “service providers,” which are exempt from certain parts of the law. Consumers can’t opt out of having their data sold to service providers in some interactions. In exchange, CCPA is meant to tightly restrict the ways service providers can use data they collect. However, the new draft regulations would greatly expand the ways service providers may use personal data, even allowing them to build profiles of individual people. The new regulations would also allow data brokers that collect information directly from consumers to avoid notifying them of the collection.

Other issues remain from earlier drafts. The latest draft still makes it hard for consumers to exercise their right to opt out of the sale of their personal information. Businesses may not need to treat clear signals like Do Not Track (DNT) as requests to opt out of sale.

Finally, some industry advocates have asked the AG to extend the enforcement deadline—by 6 months or more—amid the global health crisis. But the CCPA went into effect on January 1st, 2020, more than 18 months after its passage, and companies should already be complying with the law. Now, more than ever, consumers need the legal protections offered by CCPA. The AG should not extend the enforcement deadline on behalf of companies who would violate user privacy and the law.

Our coalition letter goes into more detail about these and other issues we have identified with the latest draft regulations. We urge the Attorney General to close business-friendly loopholes and make the CCPA an effective, enforceable tool for user privacy.

Related Updates

The full weight of U.S. policing has descended upon protesters across the country as people take to the streets to denounce the police killings of Breonna Taylor, George Floyd, and countless others who have been subjected to police violence. Along with riot shields, tear gas, and other crowd control...

Your phone is your life. It’s where you communicate, get your news, take pictures and videos of your loved ones, relax and play games, and find a significant other. It can track your health, give you directions, remind you of events, and much more. It’s an incredibly helpful tool, but...

EFF has joined a broad coalition of civil liberties, civil rights, and labor advocates to oppose A.B. 2261, which threatens to normalize the increased use of face surveillance of Californians where they live and work. Our allies include the ACLU of California, Oakland Privacy, the California Employment Lawyers Association, Service...

In the wake of nationwide protests against the police killings of George Floyd and Breonna Taylor, we urge protestors to stay safe, both physically and digitally. Our Surveillance Self Defense (SSD) Guide on attending a protest offers practical tips on how to maintain your privacy and minimize your digital...

With states beginning to ease shelter-in-place restrictions, the conversation on COVID-19 has turned to questions of when and how we can return to work, take kids to school, or plan air travel.Several countries and U.S. states, including the UK, Italy, Chile, Germany, and California, have expressed interest in...

When it comes to surveillance of our online lives, Internet service providers (ISPs) are some of the worst offenders. Last year, the state of Maine passed a law targeted at the harms ISPs do to their customers when they use and sell their personal information. Now that law is...

COVID-19, and containment efforts that rely on personal data, are shining a spotlight on a longstanding problem: our nation’s lack of sufficient laws to protect data privacy. Two bills before Congress attempt to solve this problem as to COVID-19 data. One is a good start that needs improvements. The other...

In a landmark decision, the German Constitutional Court has ruled that mass surveillance of telecommunications outside of Germany conducted on foreign nationals is unconstitutional. Thanks to the chief legal counsel, Gesellschaft für Freiheitsrechte (GFF), this a major victory for global civil liberties, but especially those that live and...